NIST eyes new approach to securing its software

Keep data secure when contractors are involved

Security experts recommend that top agency managers take these steps in dealing with their contractors to ensure data security:

Properly train contractors in agency security policies and practices.

Limit the sensitive information that contractors collect or process to the minimum necessary to perform their duties. Limit the period of time that contractors retain this data.

Establish information security requirements for contractors and subcontractors. These should include the mandatory minimum security requirements and controls specified in FIPS 200 and NIST Special Publication 800-53.

Periodically test and evaluate the effectiveness of security controls. Contractors should assess the controls' effectiveness and provide supporting evidence to the agency in the form of a NIST SP 800-37 accreditation package.

Assign an agency official to authorize or accredit the information system.

Make sure the contractor provides ongoing reports based on continuous monitoring.

When agencies start installing the Microsoft Vista operating system over the next few years, IT managers will have to deal with more than the bugs and unknown hiccups in the software. They will have to figure out how to secure software with at least 35 million lines of code.

And Microsoft's software is just one of many complex applications that require detailed planning and procedures to secure, once integrators or agency IT workers have installed the software.

'When I first started, back a couple of decades ago, we talked about building trusted computing systems where the kernel of an operating system was a couple thousand lines of code,' said Ron Ross, the National Institute of Standards and Technology's senior computer scientist. 'The problem has gotten incredibly complex.'

A new look

Ross said NIST scientists need to review how they evaluate the security of products, and how they relay that information to agencies and integrators.

Ross and NIST are trying to lighten some of the burden by improving the standards by which agencies secure their systems.

NIST last month published the draft of Special Publication 800-53, which focuses on improving the clarity of security controls, eliminating redundancies among controls and expanding the supplemental guidance for controls in key areas.

Those areas include media protection, which covers personal digital assistants and mobile storage devices, and updating security controls after security incidents. NIST also included guidance on using external systems and service providers, such as an agency Lines of Business shared-services provider or private-sector data storage services.

The final 800-53 is scheduled to be finished in December.

The draft of 800-53 organizes its controls into 17 families, matching the 17 minimum security requirements that FIPS 200 sets for all federal systems.

'Stop chasing your tail'

These requirements will 'stop 95 percent of the attacks,' Ross said. 'The other 5 percent are so nasty they cannot be stopped. But if you are stopping 95 percent of the attacks, then you can focus on the other 5 percent and stop chasing your tail.'

Alan Paller, research director of the SANS Institute of Bethesda, Md., said the best way to ensure software and services are secure is for agencies to make it the vendor's responsibility.

'We can only solve the problem by putting the problem on the vendor, because they know what settings are needed to secure your systems,' Paller said at a recent conference sponsored by the American Council for Technology and Industry Advisory Council. 'There are 140 organizations that have come together to agree on common procurement specs, and they already are buying new systems with security baked in them.'

Ross said this is critical, especially as agencies and vendors work more closely together.

'It's about the common foundation of trust,' Ross said. 'The idea is to get as many effective controls versus vulnerabilities as possible within your resources. Then you cut the risk to your mission.'